Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers
Cybersecurity researchers have discovered a critical vulnerability in widely used SQLite database software that exposes billions of deployments to hackers.
Dubbed as ‘Magellan‘ by Tencent’s Blade security team, the newly discovered SQLite flaw could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory or crash applications.
SQLite is a lightweight, widely used disk-based relational database management system that requires minimal support from operating systems or external libraries, and hence compatible with almost every device, platform, and programming language.
SQLite is the most widely deployed database engine in the world today, which is being used by millions of applications with literally billions of deployments, including IoT devices, macOS and Windows apps, including major web browsers, such as Adobe software, Skype and more.
Since Chromium-based web browsers—including Google Chrome, Opera, Vivaldi, and Brave—also support SQLite through the deprecated Web SQL database API, a remote attacker can easily target users of affected browsers just by convincing them into visiting a specially crafted web-page.
“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability,” the researchers said in a blog post.
SQLite has released updated version 3.26.0 of its software to address the issue after receiving responsible disclosure from the researchers.
Google has also released Chromium version 71.0.3578.80 to patch the issue and pushed the patched version to the latest version of Google Chrome and Brave web-browsers.
Tencent researchers said they successfully build a proof-of-concept exploit using the Magellan vulnerability and successfully tested their exploit against Google Home.
Since most applications can’t be patched anytime sooner, researchers have decided not to disclose technical details and proof-of-concept exploit code to the public.
“We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible,” the researchers said.
Since SQLite is used by everybody including Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft and a bunch of other software, the Magellan vulnerability is a noteworthy issue, even if it’s not yet been exploited in the wild.
Users and administrators are highly recommended to update their systems and affected software versions to the latest release as soon as they become available.